Too many words about DIDs

Too many words about DIDs

Jul 14, 2026 | ATProto & Bluesky

Your “Bluesky account” is not just a Bluesky account: it is an account that can be used with a variety of other applications. This post is going to be an exploration of part of what that means from a technical perspective, so if you’re not a software developer, this post isn’t for you. But what I’m going to explain is the technical mechanism for how your account works separate from Bluesky, and in fact, separate from any particular app.

你的“Bluesky 账号”不仅仅是一个 Bluesky 账号:它是一个可以与多种其他应用程序配合使用的账号。本文将从技术角度探讨这意味着什么,因此如果你不是软件开发人员,这篇文章可能不适合你。但我将解释的是你的账号如何独立于 Bluesky(甚至独立于任何特定应用)运作的技术机制。

Let’s talk about identity: who are you, anyway? Users of a system need some sort of way to describe who they are to use it. If you want to log in, you need to present who you are. If you want to make a post, well, we need to know who the author of that post is. For atproto, the protocol that underlies Bluesky and other apps in the ATmosphere, they use the “Decentralized Identity” standard, also known as DID. The W3C standardized DIDs in 2022.

让我们谈谈身份:你到底是谁?系统的用户需要某种方式来描述他们是谁才能使用它。如果你想登录,你需要证明你的身份。如果你想发布内容,我们需要知道该帖子的作者是谁。对于 atproto(Bluesky 和 ATmosphere 中其他应用的基础协议)而言,它们使用的是“去中心化身份”(Decentralized Identity)标准,即 DID。W3C 在 2022 年将 DID 标准化。

As you might guess from the name, DIDs are, an identifier that you can use as the basis of identity for building applications. And the idea is that these identifiers are decentralized. However, a lot of people have a lot of feelings about that specific word, and often accuse atproto of not being properly decentralized. We’re going to go over the details so you can understand how this works, and you can decide for yourself if this approach suits you or not.

正如你从名字中可能猜到的那样,DID 是一种标识符,你可以将其用作构建应用程序的身份基础。其核心理念是这些标识符是去中心化的。然而,许多人对这个词有各种看法,并经常指责 atproto 不够“去中心化”。我们将深入探讨细节,以便你了解其运作方式,并自行判断这种方法是否适合你。

DIDs and DID Documents

DID 与 DID 文档

Here is my DID, we’ll use this as an example: did:plc:3danwc67lo7obz2fmdg6jxcr There are three parts, separated by colons: The scheme (did), the method (plc), and the DID method-specific identifier (3danwc67lo7obz2fmdg6jxcr).

这是我的 DID,我们以此为例:did:plc:3danwc67lo7obz2fmdg6jxcr 它由冒号分隔的三部分组成:方案(did)、方法(plc)以及 DID 方法特定的标识符(3danwc67lo7obz2fmdg6jxcr)。

To use a DID, such as did:plc:3danwc67lo7obz2fmdg6jxcr, you resolve it into a DID Document: A set of data describing the DID subject, including mechanisms, such as cryptographic public keys, that the DID subject or a DID delegate can use to authenticate itself and prove its association with the DID. That document contains various properties that describe the identity.

要使用像 did:plc:3danwc67lo7obz2fmdg6jxcr 这样的 DID,你需要将其解析为“DID 文档”:这是一组描述 DID 主体的数据,包括加密公钥等机制,DID 主体或其代理可以使用这些机制进行身份验证,并证明其与该 DID 的关联。该文档包含描述身份的各种属性。

Here’s my DID Document, at the time of writing: (JSON omitted for brevity)

这是我撰写本文时的 DID 文档: (此处省略 JSON 内容)

This document gives you everything you need to know to determine who I am, that is, given an arbitrary post that claims it’s written by me, this document describes how you’d verify that claim. We’ll get into how to do that in a moment, but first, how do you resolve that DID into that DID document? Well, it’s pretty easy: each method is a standard that describes how you do that. So when you see did:plc, that means we use the PLC standard, which we’ll be going over in a moment. Another method supported by Bluesky is did:web. In that case, you wouldn’t use the PLC standard, you’d use the Web one.

这份文档提供了确定我身份所需的一切信息。也就是说,如果有一篇声称由我撰写的帖子,这份文档描述了你该如何验证这一声明。我们稍后会讨论具体操作方法,但首先,你如何将 DID 解析为 DID 文档?其实很简单:每种方法都是一个描述解析过程的标准。因此,当你看到 did:plc 时,意味着我们使用 PLC 标准,我们稍后会详细介绍。Bluesky 支持的另一种方法是 did:web。在这种情况下,你不会使用 PLC 标准,而是使用 Web 标准。

This is the sense in which DIDs are decentralized: when you present your identity, you get to decide what method validates that that is a real identity. There’s no centralized authority that determines which DID types are valid. Now, of course, that doesn’t mean that every application supports every DID method, because while this specification is very generic, you’re still going to have to write some code to implement that particular method. I could say “Hey I’m did:foo:1243” and unless your app supports the foo method, it’s not gonna inherently just know what to do. So that is one important caveat.

这就是 DID 去中心化的意义所在:当你展示身份时,你可以决定用什么方法来验证该身份的真实性。没有中央权威机构来决定哪些 DID 类型是有效的。当然,这并不意味着每个应用程序都支持每种 DID 方法,因为虽然该规范非常通用,但你仍然需要编写代码来实现特定的方法。我可以声称“嘿,我是 did:foo:1243”,但除非你的应用支持 foo 方法,否则它不会自动知道该怎么做。这是一个重要的注意事项。

did:web

did:web

Let’s explain this resolution process for the web method. While supported by Bluesky, a very small number of users actually use did:web, but it’s a simpler method and so I think it’s illustrative to go over first. I’ll be using Liz Fong-Jones did:web account as an example here. Her identity for that account is did:web:lizthegrey.com.

让我们解释一下 web 方法的解析过程。虽然 Bluesky 支持该方法,但实际上只有极少数用户使用 did:web,不过因为它更简单,我认为先介绍它很有启发性。我将以 Liz Fong-Jones 的 did:web 账号为例。她该账号的身份是 did:web:lizthegrey.com

So how do we resolve this DID into a DID Document? We take the method-specific identifier, which in this case is lizthegrey.com, and put it into this URL template: https://<id>/.well-known/did.json You can then go fetch this URL to resolve it into the DID Document, which at the time of writing, looks like this: (JSON omitted for brevity)

那么我们如何将这个 DID 解析为 DID 文档呢?我们取其方法特定的标识符(在本例中为 lizthegrey.com),并将其放入此 URL 模板中:https://<id>/.well-known/did.json 然后,你可以获取该 URL 以将其解析为 DID 文档,撰写本文时,其内容如下: (此处省略 JSON 内容)

This is very simple! So why might we not want to use did:web? Why bother with any other system? Well, this relies on the DNS system. One could make the argument that ultimately, this is still centralized in some form. If Liz’s domain registrar were to take away her domain, she would also lose control of this DID. In a more generic sense, if Liz decides she wants to not use that domain anymore, she will lose control of that identity to whoever does. That could be through non-malicious means, like letting it expire and someone else purchases it, or through malicious ones, like a hack which would compromise her registrar account and take the domain over. Also, you need to have a web server running on that domain with infinite uptime; if the server goes down, so does your ability to get the document.

这非常简单!那么,为什么我们可能不想使用 did:web?为什么要费心使用其他系统呢?嗯,因为它依赖于 DNS 系统。有人可能会争辩说,归根结底,这在某种程度上仍然是中心化的。如果 Liz 的域名注册商收回了她的域名,她也将失去对该 DID 的控制权。从更广泛的意义上讲,如果 Liz 决定不再使用该域名,她将失去对该身份的控制权,而控制权将落入接手该域名的人手中。这可能是非恶意的(例如域名过期被他人购买),也可能是恶意的(例如黑客入侵她的注册商账号并夺取域名)。此外,你需要在该域名上运行一个永不宕机的 Web 服务器;如果服务器宕机,你获取文档的能力也会随之消失。